Summary-invisible networking: Techniques and defenses


Abstract

Numerous network anomaly detection techniques utilize traffic summaries (e.g., NetFlow records) to detect and diagnose attacks. In this paper we investigate the limits of such approaches, by introducing a technique by which compromised hosts can communicate without altering the behavior of the network as evidenced in summary records of many common types. Our technique builds on two key observations. First, network anomaly detection based on payload-oblivious traffic summaries admits a new type of covert embedding in which compromised nodes embed content in the space vacated by compressing the payloads of packets already in transit between them. Second, point-to-point covert channels can serve as a "data link layer" over which routing protocols can be run, enabling more functional covert networking than previously explored. We investigate the combination of these ideas, which we term Summary-Invisible Networking (SIN), to determine both the covert networking capacities that an attacker can realize in various tasks and the possibilities for defenders to detect these activities. © 2011 Springer-Verlag.
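The first observation above is easiest to see in code. The following Python sketch is an added illustration, not code from the paper by Wei, Reiter and Mayer-Patel: each payload already in transit is zlib-compressed, the covert bytes are placed in the space that compression freed, and the frame is zero-padded back to the original length, so a NetFlow-style record (packet count, byte count) of the relayed stream is identical to that of the original stream. The framing (a "SIN1" marker plus two length fields), the zero padding, and the compressibility check at the end are assumptions of this example, not the paper's construction; the sample packets and covert bytes are constructed inline.

```python
import hashlib
import struct
import zlib

# Constructed framing (an assumption of this example, not the paper's wire format):
# magic | compressed length | covert length | compressed payload | covert bytes | zero pad
MAGIC = b"SIN1"
HEADER = struct.Struct("!4sII")


def embed(payload: bytes, covert: bytes) -> tuple[bytes, int]:
    """Return (frame, n): frame has exactly len(payload) bytes and carries the
    first n bytes of `covert`. If compression frees no room, or there is
    nothing to send, the payload is forwarded untouched and n == 0."""
    compressed = zlib.compress(payload, 9)
    free = len(payload) - HEADER.size - len(compressed)
    if free <= 0 or not covert:
        return payload, 0
    n = min(free, len(covert))
    frame = HEADER.pack(MAGIC, len(compressed), n) + compressed + covert[:n]
    frame += b"\x00" * (len(payload) - len(frame))   # keep the byte count unchanged
    assert len(frame) == len(payload)
    return frame, n


def extract(frame: bytes) -> tuple[bytes, bytes]:
    """Inverse of embed(): recover (original payload, covert bytes).
    A frame without the marker is an ordinary packet (a payload that happens to
    start with MAGIC would be misparsed; a real design needs stronger framing)."""
    if len(frame) < HEADER.size or frame[:4] != MAGIC:
        return frame, b""
    _, clen, n = HEADER.unpack_from(frame)
    body = frame[HEADER.size:]
    return zlib.decompress(body[:clen]), body[clen:clen + n]


def flow_summary(packets: list[bytes]) -> dict:
    """A payload-oblivious summary record: packet count and byte count only."""
    return {"packets": len(packets), "bytes": sum(len(p) for p in packets)}


def send_covert(packets: list[bytes], covert: bytes) -> tuple[list[bytes], bytes]:
    """Relay `packets`, draining `covert` into them in order.
    Returns the relayed frames and whatever covert data did not fit."""
    frames, pos = [], 0
    for p in packets:
        frame, n = embed(p, covert[pos:])
        frames.append(frame)
        pos += n
    return frames, covert[pos:]


def receive_covert(frames: list[bytes]) -> tuple[list[bytes], bytes]:
    """Reassemble original payloads and the covert stream at the far end."""
    payloads, covert = [], b""
    for f in frames:
        p, c = extract(f)
        payloads.append(p)
        covert += c
    return payloads, covert


def compress_ratio(data: bytes) -> float:
    """A payload-aware defender's check: a frame carrying compressed data plus
    covert bytes is far less compressible than the plaintext it replaced."""
    return len(zlib.compress(data, 9)) / len(data)


# Constructed sample traffic: three repetitive HTTP-like payloads (445 bytes each)
# and 512 bytes of pseudo-random covert data to exfiltrate.
PACKETS = [(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
            b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n") * 5] * 3
COVERT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    frames, leftover = send_covert(PACKETS, COVERT)
    payloads, recovered = receive_covert(frames)
    print("summary before:", flow_summary(PACKETS))
    print("summary after: ", flow_summary(frames))
    print("covert fully delivered:", leftover == b"" and recovered == COVERT)
    print("payloads intact:", payloads == PACKETS)
    print("compressibility original vs frame: %.2f vs %.2f"
          % (compress_ratio(PACKETS[0]), compress_ratio(frames[0])))
```

The two summary records agree byte for byte, which is the point: a detector that only sees NetFlow-style counts has nothing to alarm on. The last line is the kind of signal a defender who can inspect payloads would look for, since the frame that replaced a highly compressible payload is itself nearly incompressible.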

Citation (APA)

Wei, L., Reiter, M. K., & Mayer-Patel, K. (2011). Summary-invisible networking: Techniques and defenses. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6531 LNCS, pp. 210–225). Springer Verlag. https://doi.org/10.1007/978-3-642-18178-8_19
